When the Auditor is Tricking Your Business
-
@Dashrender said in When the Auditor is Tricking Your Business:
@scottalanmiller said in When the Auditor is Tricking Your Business:
@Dashrender said in When the Auditor is Tricking Your Business:
@scottalanmiller said in When the Auditor is Tricking Your Business:
@Dashrender said in When the Auditor is Tricking Your Business:
@scottalanmiller said in When the Auditor is Tricking Your Business:
So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.
So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.
This is a horrible assumption!
The OCR is launching audits of medical practices/hospitals, etc. So this is non-voluntary audits, the practice won't be the ones hiring someone.
The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?
Why does any government agency force an unqualified auditor upon you? Your guess is as good as mine.
Corruption. Is there really no published process for letting the OCR know that something is amiss?
I haven't had to deal with the OCR about this, so I don't know... but we have had to deal with Medicare audits, every three years. They made us replace several pieces of gear because the old gear didn't have that year's new UL codes on them. The equipment was fine last year, suddenly not fine this year.
That stuff is different. Ridiculous, of course, but not a security violation. And this isn't technically either, but gets pretty close. But basically you have an auditor threatening to fail you based on criteria that he can't state AND he has access to your systems when he can't be trusted. Checking out extension cords doesn't compromise security.
-
@scottalanmiller said in When the Auditor is Tricking Your Business:
@Dashrender said in When the Auditor is Tricking Your Business:
@scottalanmiller said in When the Auditor is Tricking Your Business:
@Dashrender said in When the Auditor is Tricking Your Business:
@scottalanmiller said in When the Auditor is Tricking Your Business:
@Dashrender said in When the Auditor is Tricking Your Business:
@scottalanmiller said in When the Auditor is Tricking Your Business:
So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.
So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.
This is a horrible assumption!
The OCR is launching audits of medical practices/hospitals, etc. So this is non-voluntary audits, the practice won't be the ones hiring someone.
The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?
Why does any government agency force an unqualified auditor upon you? Your guess is as good as mine.
Corruption. Is there really no published process for letting the OCR know that something is amiss?
I haven't had to deal with the OCR about this, so I don't know... but we have had to deal with Medicare audits, every three years. They made us replace several pieces of gear because the old gear didn't have that year's new UL codes on them. The equipment was fine last year, suddenly not fine this year.
That stuff is different. Ridiculous, of course, but not a security violation. And this isn't technically either, but gets pretty close. But basically you have an auditor threatening to fail you based on criteria that he can't state AND he has access to your systems when he can't be trusted. Checking out extension cords doesn't compromise security.
That wasn't about security specifically, it was about all aspects of the business, up to and including security. But their check sheet currently doesn't have much on it for IT security, so they don't ask much there.
-
@scottalanmiller said in When the Auditor is Tricking Your Business:
How does "legit" and that go together? That his boss was able to cover doesn't make it legit. Could someone be confused to that degree? Maybe. Was it likely? Not very.
By legit I meant not a social engineer. He represented a legit company, though he was not reputable himself. Maybe he wanted it so he could sell it later, who knows.
-
@scottalanmiller said in When the Auditor is Tricking Your Business:
I truly believe that nearly all are scams. Some are scams just to take your money for not doing the audit that they promised to do.
Or to take your money by threatening an audit and hoping you'll compensate by over-licensing to death. We just went through our MS SQL true-up. Good god. When Microsoft can prove to me at the binary level that one thread from a VM is able to schedule two hyper-threaded siblings from the same core at the same time, contradicting all of their other documentation, THEN I'll pay for twice the SQL licensing just because I have hyper-threading turned on on my host. Friggin thieves.
-
@TAHIN said in When the Auditor is Tricking Your Business:
@scottalanmiller said in When the Auditor is Tricking Your Business:
How does "legit" and that go together? That his boss was able to cover doesn't make it legit. Could someone be confused to that degree? Maybe. Was it likely? Not very.
By legit I meant not a social engineer. He represented a legit company, though he was not reputable himself. Maybe he wanted it so he could sell it later, who knows.
How do you know that he wasn't a social engineer? What he did is exactly what a social engineer would do when caught. How did you determine that he wasn't trying to trick you and that he was only incompetent?